AS9100D – Risk Management vs Risk-Based Thinking: Just What is the Difference?

Risk-Based Thinking requires organizations to consider the risks they face during strategic planning, planning for product and service conformity, management review, and when taking corrective action. The idea is that the organization works to identify risks, decides if action is required, and if applicable, takes action. That said, it is important to note that it is not necessary to track the risk as the project progresses to judge the effectiveness of the action, and whether additional action is necessary.

Risk Management, on the other hand, is a process for identifying risks, determining actions to mitigate those risks, tracking those actions, and then re-assessing any remaining risk after actions are deployed. It involves not just thinking about risk at certain stages during the realization of products and services, but also having a process to track these risks until they are addressed, mitigated, or eliminated.

What is required for operational risk management, and what isn’t?

To start with what is not required – there is a note specifying that while clause 6.1 “Actions to address risks and opportunities” addresses the risks and opportunities for the QMS, clause 8.1.1 “Operational Risk Management” is limited to risks that are associated with operational processes needed by the organization to provide its products and services. Therefore, while your organization may identify a QMS risk that your organization might soon have a rival company to compete with, this is not a risk that needs to be tracked according to the risk management requirements, as it is not an operational risk.

There are at least five requirements that an organization needs to consider during the planning, implementation, and control of the operational risk management process. They are:

Assign Responsibilities – Who owns the process? Who constitutes the Team? Which departments need to be included? If actions are likely to be assigned to a certain department or function, it is best to have them involved in the whole management process.

Determine Risk Assessment Criteria – What criteria will be used for risk assessment? How will you quantify which risks to accept and what you will mitigate? A note in this clause states that within the aviation, space, and defense industry, risk is generally expressed in terms of the likelihood of the occurrence and the severity of the consequences (a good example of this might be Failure Mode Effects Analysis or FMEA).

Identify, Assess, and Communicate Risks – Any risk of product failure due to must be communicated to those who design and realize the product. Without effective communication, risk identification is ineffective.

Identify, Implement, and Manage Mitigation Actions – There are a multitude of ways to address risk, ranging from risk reduction all the way to complete elimination of the risk – or, in other words, try to prevent the risk from happening. If a risk exceeds your acceptable criteria, take actions to address the risk and track those actions.

Re-evaluate the Risk that remains when mitigation is complete, and continue to work to reduce it – Risk management is an iterative process, where the risk can always be reduced.

Has anything really changed from AS9100 Rev C?

The requirements have remained largely unchanged since the past revision. Risk management process requirements were already included in AS9100 Rev C as risk management, and the five requirements have remained basically as they were. The real change here is the clarification that these requirements only applied to operational risk, hence the name change in the clause. The other change from Rev C is the addition of the two notes to clarify how these requirements are separate from risk-based thinking and to make it clear that risk in aerospace is a combination of likelihood and severity. For organizations that are already compliant with AS9100 Rev C, the current risk management process should most likely remain unchanged.

D. Suppliers, vendors and subcontractors are now defined as “External Providers”

Better accommodates service organizations.

E. Elimination of Required Content

ISO 9001:2015 does not specifically require any of the following:

a) Quality Manual
b) Procedures Manual
c) Work Instructions

Theoretically, an organization can achieve certification without these documents. Auditors will still be required to verify consistency with applicable requirements. Thus, the organization must be prepared to show effectiveness of processes in whatever activity is being reviewed. If this can be demonstrated without a procedure/quality manual, then it is acceptable.

F. Elimination of the Management Representative

“Management Representative” does not appear within the ISO 9001:2015 standard.

The implication is that while this terminology has been eliminated, many of this party’s key functions should now fall to top management itself.

Elimination of Permissible Exclusions

ISO 9001:2015 has removed all verbiage related to “Permissible Exclusions.”

Organizations can now claim any item from ISO 9001:2015 under a “Non-Applicable” designation.

No difference from ISO 9001:2008, other than the scope of what can be claimed for exemption now encompasses the entire standard.

Interested Parties

ISO 9001:2015 includes a new term, “Interested Parties”, intended to be applied to all Annex SL based standards.

Definition – “Person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity.” Examples given include customers, staff, the organization, suppliers, bankers, unions, partners, and even competitors.

Clause 4.2 requires that organizations determine who their interested parties are, but emphasizes those “relevant to the quality management system.”

IV. Annex SL

A. Annex SL was first published in 2012, the output of a special committee of the ISO – The Joint Technical Coordination Group (JTCG).

B. The Annex is a 10 section “blueprint” for authoring all of the ISO family of standards.

D. Eventual plan calls for full transition of all ISO standards to Annex SL structure by 2016 or 2017

Annex SL

1 Scope

2 Normative references

3 Terms and definitions

4 Context of the organization

understanding the organization and its context

understanding the needs and expectations of interested parties

determining the scope of the quality management system

quality management system and its processes

5 Leadership and Commitment

general

customer focus

policy

organizational roles, responsibility and authority

6 Planning

actions to address risks and opportunities

quality objectives and planning to achieve them

planning of changes

7 Support

resources

competence

awareness

communication

documented information

8 Operation

operational planning and control

requirements for products and services

design and development of products and services

control of externally provided processes, products, and services

production and service provision

release of products and services

control of nonconforming outputs

9 Performance evaluation

monitoring, measurement, analysis and evaluation

internal audit

management review

10 Improvement

general

non-conformity and corrective action

continual improvement

V. RISK

A. The term “risk” is used 16 times in the auditable language of the FDIS 9001;

B. A formal/documented Risk Management Process is NOT specifically required

C. Expands the notion of Risk aversion to one that affects all of the various areas of the Quality Management System.

D. Clause 6.1.1 of the FDIS 9001 standard states:

When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:

E. Clause 6.1.2 of the FDIS 9001 standard states:

integrate & implement the actions into its quality management system processes (see 4.4); evaluate the effectiveness of these actions

Actions taken to address risks and opportunities shall be proportionate to the potential impact on the conformity of products and services.

NOTE 1 – Options to address risks can include avoiding risk, taking risk in order to pursue an opportunity, eliminating the risk source, changing the likelihood or consequences, sharing the risk, or retaining risk by informed decision.

NOTE 2 – Opportunities can lead to the adoption of new practices, launching new products, opening new markets, addressing new clients, building partnerships, using new technology and other desirable and viable possibilities to address the organization’s or its customers’ needs.

2.2 Training (an assessment of competency needs with steps taken to ensure that personnel are fully qualified and competent.)

2.2 Review of Requirements related to the Product (an assessment of customer expectations against your current capabilities with steps taken to resolve discrepancies),

5.3 Preventive Action (an assessment of potential problems with actions taken to avoid those issues in the first place)

SECTION BY SECTION ANALYSIS

INTRODUCTION SECTION

0.1 – General

Provides an overview statement, intentions on whom the standard benefits, introduces the ideas of Risk Based Thinking, PDCA, and explains four key terms (of which three are formally defined for the first time):

0.4 – Relationship with other management system standards (ISO 9000 and ISO 9004)

Sections 1-3 – Not specifically auditable (as before)

Section 4 – Context of the Organization

Similar to ISO 9001:2008 Clause 4.0 – Quality Management System

Key new questions:

A. What purpose does the organization serve?
B. Who does it exist for?
C. Who are the interested parties?
D. Does any part(s) of the ISO 9001:2015 standard qualify for a “non-applicable” designation?

Section 5 – Leadership

Key new questions:

A. Is a Leadership structure evident?
B. Is Leadership accountable for the effectiveness (or lack thereof) of the QMS?
C. Has Leadership ensured that the Quality Policy/Objectives are consistent with the strategic direction of the company?
E. Is the QMS integrated into the business processes?

Section 6 – Planning for the quality management system

Key new questions:

A. Have all risks (and opportunities) been considered?
B. Have actions been taken or planned for said risks?
C. With regards to Quality Objectives –
D. Who will be responsible?
E. What is the target date?
F. What is to be accomplished?

Section 7 – Support

A. Similar to ISO 9001:2008 Section 6.0 – Resource Management
B. One very slightly new area of content is provided in clause 7.1.6 that asks the following key new question:

a. “Has the organization considered changing needs and trends versus its current competency base and determined what is needed for the future?”

Section 8 – Operation

A. Very similar to ISO 9001:2008 Section 7.0 – Product Realization, and parts of Section 8.0

Section 9 – Monitoring, Measurement, Analysis, and Evaluation

A. Similar to ISO 9001:2008 Section 8.0 – Measurement, Analysis, and Improvement, includes content from Section 5.0 – this is now where Management Review (5.6) is found

VII. WHAT ABOUT THE OTHER STANDARDS?

A. Most of the major sector specific standards, including TS 16949 (automotive), AS9100 (aerospace), and TL9000 (telecommunications) have indicated intentions to transition and continue alignment with ISO 9001. (ISO 14001 will also follow suit, and is being rolled out at the time of this report).
B. Precise timelines for these other standard updates are to be announced, but a 2016 publication date seems likely for all three.
C. At present the only major standard not planning to continue alignment to ISO 9001 is ISO 13485 (medical devices), currently in the midst of its own update with a targeted publication of early 2016.

VIII. WHAT SHOULD BE DONE NOW?

A. Companies at various stages of implementing new quality management systems in accordance with ISO 9001:2008 may question if there is still value in registering to ISO 9001:2008.

Important to note that ISO 9001:2008 still has at least 3 years of usability left in it.

Equally important to note that the very first audits later this year to ISO 9001:2015 may be somewhat challenging for both auditee and auditor.

B. Companies currently holding ISO 9001:2008 registrations seeking to transition – International Accreditation Forum (IAF) has published an Informative Document (ID 9) which recommends the following steps be taken in a transition to ISO 9001:2015.

Top down Gap Analysis of the ISO 9001:2015 standard to identify the gaps that need to be addressed.

Development of an implementation plan with assigned responsibilities, and milestones.

Review and update of all quality management system documents (including the quality and procedures manual, new or revised processes).

Awareness and transition training.

Full system internal audit followed by a Management Review.

Full round of Corrective and Preventive Actions.

Management Review and closure of any open findings should be in process or complete.

For many industries and organizations around the world, ISO 9001 has evolved to become the foundational quality standard on which their complete quality management system is built.

However, as the integration of technology has changed many aspects of systems and operations in recent years, a degree of inflexibility and rigidness in the current ISO 9001:2008 standard was exposed. This latest revision, due to be published in September, 2015, will allow organizations to be more flexible in how they apply the standards and practices of ISO 9001 in the context of their unique processes, technologies and business needs.

The following questions and answers have been chosen for inclusion in this FAQ and organized by topic to facilitate organizations’ understanding of the changes afoot and how they will impact their business.

Where can I learn about the new structure of ISO 9001:2015?

Quality Resource Center has produced an abundance of materials that include overviews and analysis of the new high-level structure of ISO 9001, Annex SL. Quality Resource Center offers a full suite of value added training, including on-site, web based, as well as our state-of-the-art training facility in northern California. The materials are available on the website.

You may also contact Quality Resource Center with any questions at certification through our web portal or by simply calling 1 800 244 5409.

When will the final version of ISO 9001:2015 be published, and where can I get a copy?

Timeline for publication and implementation of ISO 9001:2015

July-October 2014: Comments on DIS were submitted

July 2015: Final Draft International Standard FDIS issued

September 2015 (estimate): ISO 9001:2015 issued

September 2015-September 2018: Transition period. All current registrations to ISO 9001:2008 must be transitioned to the 2015 revision by this time, or they will lapse.

When should I start transitioning to ISO 9001:2015, and what should I do to prepare?

It would be prudent to begin planning discussions now based on the DIS, but hold off on taking any major action until the standard is published and the transition officially begins in September, 2015. One thing you can do is start taking inventory of your current processes and comparing them to the new high level structure proposed in the DIS.

How much longer will ISO 9001:2008 compliance be recognized?

Conformance to the current standard will be recognized through the end of the three-year transition period, which is due to end September, 2018. Organizations can request to be audited to the FDIS when it is issued. The issuance of certificates is an Assurance Group decision. All organizations must transition to the new standard by the end of the transition period.

Are Organizations Permitted to Upgrade During Their Scheduled Re-certifications in 2016?

Yes, as long as your systems conform to the standards set forth in ISO 9001:2015.

Our Organization is Currently Implementing or Considering Certification to ISO 9001:2008. What is the Best Course of Action?

Continue as planned; there are three full years to achieve certification to ISO 9001:2015 after its publication in September, 2015. That said, Quality Resource Center can help to familiarize Organizations with the new high-level structure, so systems are designed or upgraded with an eye toward the future.

Will the Transition Require Additional Resources Either in Budgets or Time?

Quite likely, but it will depend upon the current status of an Organization’s management system. Areas that will be impacted include personnel time developing or modifying current systems and processes to meet the new requirements.

For more information regarding how the ISO 9001:2015 might impact your organization, Quality Resource Center offers detailed ISO 9001:2015 GAP Analysis services that can assist in identifying where the audit against the revised standard will differ from your existing programme.

When May I begin transitioning? Do I Need to Wait Until My Surveillance Audit?

The transition process may commence as soon as the official three-year transition begins. While it is permissible to transition outside of your scheduled surveillance, it is more efficient to do an upgrade audit to ISO 9001:2015 during regularly scheduled surveillance audits.

How can Progress Best Be Measured During the Transition Process?

Quality Resource Center works closely with Organizations to develop approaches that enable progress to be tracked towards the new standard and ensure proper training, support, and execution every step of the way. If you are implementing the standard for the first time, Quality Resource Center offers full turn-key solutions that offer maximum value with minimum risk.

When will auditor training be available for ISO 9001:2015?

Internal auditor training and certification will be available following publication of the FDIS in 2015; the rules and requirements have not yet been finalized. If your organization has a robust Internal Audit process, the auditing techniques should not change. However, the criteria you audit against and the scope of your audits will definitely be affected.

Quality Resource Center will provide customers with additional information as it becomes available. We also have a series of interactive webinars already scheduled, and public training courses on the transition all over North America.

ISO 14001 Is Being Revised Along With ISO 9001. Will This Impact Organizations Utilizing Both Standards?

ISO 9001:2015 and ISO 14001:2015 will be more closely aligned than ever, as both standards will utilize the same high-level structure defined in Annex SL. Upwards of 30% of the language in the two management system standards will be identical. ISO 14001:2015 should be issued in September 2015 along with ISO 9001:2015 if everything goes according to plan.

What Impact Will the Revisions Have On ISO/TS 16949:2009 Automotive Standard?

The automotive industry is not enamored with the revisions to ISO 9001. Currently they are opting out of participating in the revision process in favor of creating their own standard. While the automotive group could certainly change their position between now and when the standard is finally issued in September 2015, no definitive position has been determined.

We Are Certified to AS 9100C. Are there any plans to revise this standard to accommodate new ISO 9001:2015 requirements?

AS 9100 will adopt the requirements of ISO 9001:2015 when the new standard is revised in 2016.

Is the ISO 13485 Medical Device Standard Changing As A Result Of The Updates To ISO 9001?

The draft ISO 13485:2015 is based on the clause structure in ISO 9001:2008, not the new requirements and clause structure of ISO 9001:2015 using Annex SL.

Tables correlating ISO 9001 and the previous version of ISO 13485 have been included in the document.

Similar to ISO 9001:2015, there will be a transition period for organizations upgrading from the 2003 revision to the ISO 13485:2015 standard. The date of the ISO 13485 transition has not been announced as yet.

The supplementary Annex Z in support of the European Medical Devices Directives has been included in anticipation of the next revision of ISO 13485 being harmonized under the three Medical Device Directives.

This means ISO 13485 and EN ISO 13485 will be published in a similar timeframe. Organizations can then use the Harmonized Standard within Europe which provides for the “Presumption of Conformity” under the applicable clauses of the Directives. This revision has also been drafted recognizing that it will have to support the existing European Medical Devices Directives and the proposed European Medical Device Regulations when they are published in the future. Some of the content has therefore been specifically drafted to accommodate this requirement.

Where does Plan-Do-Check-Act (PDCA) Fit In With The New Standard?

Of course. The new standard is still built around the PDCA cycle. It’s featured prominently on page 8 of the Draft International Standard.

Will FMEA’s and Control Plans be required under ISO 9001:2015?

Although very valuable tools, FMEA’s and Control Plans are not required by ISO 9001:2015. Your organization could apply these tools as their approach to meet the requirements. Properly developed Control Plans would satisfy many of the requirements for section 8. FMEA’s are a useful tool to identify, prioritize, and mitigate areas of risk required in section 6.

What Is The Practical Impact Of Eliminating The Management Representative?

The management system still needs a champion and a spokesperson, but it does not automatically mean that this is the quality manager, or any one person. Optimally, these duties would be shared by a member(s) of the leadership team. Once the management system has been implemented, this person’s role should transform into being a facilitator of continual improvement. It should be noted that while the requirement for a designated Management Representative has been removed from the DIS, the responsibilities that were attributed to this position are still retained in the standard.

What Suggestions Are There For Organizations Wishing To Begin Preparing For ISO 9001:2015?

Have a GAP Analysis performed and review the results. Identify Actions to fill the GAP’s.

Train managers that will be affected by the proposed changes. Help them gain a comprehensive understanding of the issues at hand and help them begin to strategize an action plan for implementation

If you have certification to more than one standard, look at where management system integration might be possible and beneficial. Make this part of the GAP Analysis.

Talk to one of our representatives and ask how we can support your organization

I have an integrated management system based on ISO 14001 and OHSAS 18001-how will the revisions to ISO 9001 and these standards affect me?

The changes make system integration much easier as there will be greater alignment among these standards. But with differing projected publication dates and trans-national, you should plan your transitions carefully to retain certification on each.

It may be beneficial to acquire a copy of PAS 99. It offers valuable guidance on the design and structure of an integrated management system.

Is There A Requirement For a Quality Manual in ISO 9001:2015?

ISO 9001:2015 does not require a quality manual. The question each organization should consider is whether or not having one is beneficial to the organization. If it is used as intended in 9001:2008, as an introduction to the management system that acts as a guide or roadmap to the overall system, then by all means have one. Quality Resource Center strongly recommends that Organizations maintain a Quality Manual.

What Are The Guidelines Like For Internal Audits Under ISO 9001:2015?

Refer to section 9.2.2 Internal Audit –

9.2.2

“The organization shall:

a) plan, establish, implement and maintain an audit programme(s) including the frequency, methods, responsibilities, planning requirements and reporting, which shall take into consideration the quality objectives, the importance of the processes concerned, customer feedback, changes impacting on the organization, and the results of previous audits;

b) define the audit criteria and scope for each audit

c) select auditors and conduct audits to ensure objectivity and the impartiality of the audit process”

These requirements have been clarified from those in 9001:2008. Audits are still required to be conducted at planned (scheduled) intervals. Organizations need to establish goals, priorities, and objectives and align them to drive their decisions with respect to the audit function. Many factors go into the development of an audit program, risk being only one of them. Other things to consider: complexity and current state of the process or areas involved, and potential impact on customers and the Organization.

What Are The Key Requirements for Design and Development of Products and Services? Will there be Requirements for Process Design?

Much of what is now required under ISO 9001:2015 was implied and would have been considered good practices under ISO 9001:2008. Section 8.3 “Design and Development of Products and Services” enhances the requirements found in section 7.3 of ISO 9001:2008, which dealt with product design. Some of the requirements have been reorganized (i.e. verification and validation have been consolidated in one section 8.3.4 “Design and Development Controls”). Technically, manufacturing process design is not included. However, a note at the end of section 8.3.1 encourages organizations to apply these same principles to process design and development.

Can you summarize the new approach to Preventative Action in ISO 9001:2015?

Organizations must understand their organization’s business context (Clause 4.1) and determine the risks and opportunities that need to be addressed (Clause 6.1). One of the key purposes of a quality management system is to act as a preventive tool. Consequently, the new standard does not have a separate clause or sub-clause titled “Preventive Action.” Instead, the concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements. This resulted in a reduction of prescriptive requirements, which have been replaced by performance-based requirements. Although risks and opportunities have to be determined and addressed, there is no requirement for formal risk management or a documented risk management process. The implication is the entire management system, properly implemented, should function as a preventive tool.

Does Compliance With ISO 31000 Satisfy The Risk Management Requirements in ISO 9001:2015?

Clearly an Organization could apply the requirements of a risk management system as defined in ISO 31000 and more than meet the requirements for risk based thinking in ISO 9001:2015. While the standard does not require a formal risk management approach, organizations must identify and understand their business environment in the broadest of terms and the resulting potential risks they face. Armed with this data the organization can then develop and deploy an effective management system to control, mitigate, and eliminate these risks.

Is there a summary of the changes between ISO 9001:2008 and 9001:2015 available?

Yes. Quality Resource Center provides this summary and discusses it at our training courses, both classroom and interactive webinars.

How can Quality Resource Center provide support through the transition process?

Quality Resource Center will have the latest up-to-date information on the ISO 9001 revision all the way up to the planned publication in September, 2015. Upon publication, we can advise you on what to do to meet the new requirements.

Ultimately, it is up to you to plan and implement the changes, but Quality Resource Center will provide all the support you need to make the best possible decisions.

What training will be available?

Yes, we have a series of interactive webinars already scheduled, and public training courses on the transition all over North America.

I have questions about my certification I need to answer right now. Who should I call?

ISO 9001 and ISO 14001 are under revision with updated versions due by the end of 2015.

FAQ

Why is ISO 9001 being revised?

All ISO standards are reviewed every five years to establish if a revision is required to keep it current and relevant for the marketplace. The future ISO 9001:2015 will respond to the latest trends and be compatible with other management systems such as ISO 14001:2015.

Where are we at in the revision process?

ISO 9001 is currently nearing the Final Draft International Stage (FDIS ballot expected by July), the fifth stage of a six stage process, whereby the ISO subcommittee revising the standard will now go through all the comments received during the DIS vote in order to produce a final draft which will then be put forward to all ISO members for voting.

What is the next step?

Once all comments have been considered a final draft will be produced and put forward to ISO members for voting.

When will the new version be published?

ISO 9001:2015 will be published by the end of 2015.

What will be the main changes to the standard?

The new version follows a new, higher level structure designed to make it easier to use in conjunction with other management system standards, with increased importance given to risk.

I am certified to ISO 9001:2008. What does this mean for me?

Organizations are granted a three-year transition period after the revision has been published to migrate their quality management system to the new edition of the standard.

How do I find out more?

Contact Quality Resource Center as soon as possible for more information on how the FDIS is proceeding.

TRANSITION PLANNING GUIDANCE FOR ISO 9001:2015 & ISO 14001:2015

Parties who will benefit from this guidance include but are not limited to –

Organizations using ISO 9001:2008

Accreditation bodies (AB’s)

Certification bodies (CB’s)

Training bodies and consultants

Changes

The ISO 9001:2015 revision introduces significant changes and will be published in September 2015. It is based on Annex SL of the ISO Directives, a high-level structure (HLS) which standardizes sub clause titles, core text, common terms and core definitions to enhance compatibility and alignment with other ISO management system standards. Main changes in the new version of ISO 9001:2015 are:

Adoption of the HLS as set out in Annex SL of ISO Directives Part One

Explicit requirement for risk-based analysis to augment and improve the understanding and application of the process approach

The International Accreditation Forum (IAF), which monitors certifications/accreditations, and the ISO Committee on Conformity Assessment (CASCO) have agreed to a three year transition period from the publication date of ISO 9001:2015. The transition period will begin in September 2015 and end in September 2018.

ISO 9001:2008 certifications will not be valid after the end of September 2018. From March 2017 all initial certifications under accreditation shall be to ISO 9001:2015.

Guidance for transition

The degree of change necessary for any organization will be dependent upon the maturity and effectiveness of the current management system, its organizational structure and practices. Thus, an impact assessment is strongly recommended in order to identify realistic resource and time implications prior to initiation of any changes.

Specific guidance for parties involved in certification and accreditation –

Organizations operating under ISO 9001:2008 are encouraged to take the following actions-

Identify organizational gaps which need to be addressed to meet new requirements